Notice of a new data breach is posted at least once a day. A frequent feature of many notices is the disclosure that the conduct giving rise to the breach happened months earlier, with the delay sometimes going into years in some instances.

The notices typically do not provide much insight into the reasoning for the delays, which gives rise to the question: when should notice of a data breach be provided?

The answer is seemingly straightforward. The HIPAA data breach notification rule states that, absent certain narrow exceptions, a covered entity needs to provide notice without unreasonable delay, which should be no more than 60 days following discovery of the breach.

The language “without unreasonable delay” is key.

Read more of Matt’s commentary on Health Data Management

The issue of when a breach is considered “discovered” for purposes of starting any clock is one I grapple with on almost a daily basis. Matt seems to take a fairly firm position about what “discovered” means, but I am aware that there are entities who argue to the effect of “Well, how do you know who to notify and what to tell them if you are still investigating at 60 days?”

That seems to be a fairly logical argument, until I respond, “Well, why couldn’t you have determined that sooner? Did you allow too much ePHI to accumulate in employees’ email accounts? Did you fail to check logs regularly? Did you not hire enough people to investigate this breach intensively?” When did you start the intensive investigation after discovery?

But then, it’s easy to sit at a desk in my office and lob questions at entities when I would not want to change places with those trying to respond to an incident.

As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.

If SB 561 becomes law, it would make a number of significant changes to the current law.

A comprehensive new study (“2019 Data Privacy Maturity Study”) from Seattle-based Integris Software suggests that many mid- to large-sized enterprises simply are not prepared for the avalanche of private data in the marketplace today, or for the growing proliferation of data sharing agreements with other companies. Add in the fact that government regulations appear to be mushrooming on a state-by-state basis across the United States, and it’s easy to see why a clear majority (79%) of these enterprises now support a federal privacy law that would provide clear guidelines on data sharing and data inventory practices.

… However, the big question is whether enterprises are really able to scale their data sharing and data inventory practices past a certain level. Enterprises with more than 500 employees, for example, typically have far-flung operations all over the globe. Moreover, they have a huge network of vendors, suppliers and partners. Recognizing the inherent complexity involved in navigating all of this personal data, only 23% of enterprises said they were ready for the upcoming California Consumer Privacy Act, which is set to go into effect in 2020. Moreover, only 36% said they were ready for the General Data Protection Regulation (GDPR), which went into effect in May 2018. This last figure is particularly troubling, because it has now been almost one year since the GDPR went into effect, and the majority of enterprises are still having a hard time coping with the new rules surrounding data subjects, data mapping, data sharing and data inventory.

[From the report:

Forward-looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.]

It has been rough weather for Google in France. Three weeks after the French Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google. This decision was rendered on February 12, 2019 in an action that was initiated against Google Inc. in 2014 by an old French consumer not-for-profit organization, UFC-Que Choisir.

… Traditional theist religions have “turned from a creative into a reactive force,” as historian Yuval Noah Harari put it in his 2016 book, Homo Deus. “They now mostly agonize over the technologies, methods and ideas propagated by other movements.”

That reputation makes a statement on artificial intelligence released Thursday by the Southern Baptist Convention all the more intriguing. The SBC’s public-policy arm, the Ethics and Religious Liberty Commission, spent nine months researching and writing “Artificial Intelligence: An Evangelical Statement of Principles,” and it has been signed by 68 prominent evangelical thinkers. The brief document is intended to respond to the “existential questions” raised by A.I. technology. It takes a strikingly optimistic tone in doing so. “This was created not out of fear, but out of an understanding that [A.I.] is a tool that God has given us,” said Jason Thacker, who headed the project at the ERLC.

Any technology invented before the Civil War is not advisable in modern business.

EU Tells Internet Archive That Much Of Its Site Is 'Terrorist Content'

We've been trying to explain for the past few months just how absolutely insane the new EU Terrorist Content Regulation will be for the internet. Among many other bad provisions, the big one is that it would require content removal within one hour as long as any "competent authority" within the EU sends a notice of content being designated as "terrorist" content. The law is set for a vote in the EU Parliament just next week.

You may get answers to these questions next Friday at the Privacy Foundation Seminar on the CCPA. (See details at https://www.law.du.edu/privacy-foundation) Their seminar on GDPR completely changed the way I teach my Computer Security and System Architecture classes.

Companies Are Ready and Willing to Comply with CCPA – But First, They Need to Know How

No one disputes the importance of guarding the privacy of consumer information. But the recently enacted California Consumer Privacy Act (CCPA) threatens businesses with potentially crippling liabilities, while also harming consumers who benefit from innovation (including new ways to use data to offer personalized services and product recommendations) and enjoy free services made possible by data collection, processing and usage.

California’s Attorney General and legislature are currently proposing amendments to the law. Their proposals, however, may do little to aid businesses in knowing how to comply with CCPA, and may instead dramatically increase liability risks for non-compliance. Indeed, the amendments currently under consideration appear calculated to please the plaintiff class action bar above all others. The proposed amendments would incentivize private enforcers to sue defendants for annihilating penalties, even where the alleged violations are morally blameless and do not cause actual harm, while also removing the limited mechanisms currently available by which companies can obtain guidance on how to comply.

Facebook-owned Instagram is making tweaks to the Community Guidelines that dictate the posts that you see in the recommendations as well as with hashtag searches. The social network is reworking the algorithms to filter out posts that could be labeled as “inappropriate” but may actually not be breaking any rules or going against community guidelines.

“We have begun reducing the spread of posts that are inappropriate but do not go against Instagram’s Community Guidelines, limiting those types of posts from being recommended on our Explore and hashtag pages,” says Instagram in an official post. But what sort of posts would these be?

Apparently, Instagram will judge the content of each post and then decide whether it violates any community guidelines or not. If it doesn’t, but Instagram still doesn’t like the looks of it, the post will be classified as “inappropriate” and sent to sit on the naughty step. Instagram gives the example of a sexually suggestive post, which may be targeted in this new regime where artificially intelligent algorithms and machine learning are possibly going to dictate morals and perhaps more.

Instagram says such a post will still appear on your Feed if you follow the account that posts it. [So you can still see what the Grand Kleagle has to say, but recruiting new klansmen might become a bit more difficult. Bob] However, these posts will be downrated in a way, and may not appear in the Explore tab, the hashtag pages as well as when a user makes a specific search with a hashtag.

How the Navy’s top commander botched the service's highest-profile investigation in years

… One officer asked a question that touched on a sensitive topic: two collisions of warships in the Pacific in the summer of 2017 that left 17 sailors dead in the Navy's worst maritime accidents in decades.

The Navy had recently announced that it would criminally prosecute the captains of the vessels and several crew members for negligence leading to the fatal accidents. The questioner wanted to know whether officers now had to worry about being charged with a crime for making what could be regarded as a mistake.

Richardson answered by saying that he could not discuss pending cases. As a bedrock principle of military law, commanders cannot signal a preferred outcome. But then, almost as an afterthought, he attempted to reassure the man that the collisions were no accidents.

“I have seen the entire investigation. Trust me, if you had seen what I have seen, it was negligent," Richardson told the audience, according to court records.

Pollio, a Navy attorney, was alarmed. It appeared to her that Richardson had effectively pronounced guilt before trial. And he had done so in public, in front of an audience whose members could conceivably participate in the military's judicial proceedings.

This is sort of a: Microsoft wouldn’t let us have data stored in Ireland, so we wrote a law so now they have to.

Get out of the house with these free tickets to outdoor events for veterans and their families

… Below is a sampling of the hundreds of events Vet Tix has free tickets to for Vet Tix members. Don't see anything in your area? We get new events daily so be sure to check your emails for new events.

April 22nd – Denver, CO – Colorado Rockies vs. Washington Nationals

May 18th – Morrison, CO – Napa Night of Fire & Thunder

To become a VetTixer and to request tickets to these and hundreds of other events, which are free except for a very small delivery fee, visit VetTix.org to create a free account. Once you've created an account and we've verified your status as military or a veteran, you can review hundreds of upcoming events across the country.

Thursday, April 11, 2019

A small aftermarket telematics unit from Montreal, Canada-based AutoMobility, MyCar provides users with a series of smartphone-controlled features for their cars, including geolocation, remote start/stop and lock/unlock capabilities.

“The easy-to-use MyCar app interface gives you control to remote start, lock, unlock and locate your vehicle from anywhere just by pushing a button on your smartphone,” the vendor says.

… Hardcoded admin credentials found in the MyCar Controls mobile apps can be used to communicate with the server endpoint for a targeted user’s account, without having their username and password.

… “A remote un-authenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle,” Carnegie Mellon University’s CERT Coordination Center notes in a security alert.

Transparency tool on FB inadvertently provides window into confusing maze of companies who have your data

BuzzFeed News – “On Facebook under Settings, there’s a page in the Ads section where you can view your Ad Preferences. Most of this is fairly straightforward — choices about how you’ll allow ads and how advertisers target you based on things like what pages you’ve liked. But there’s one section there that will probably surprise you: a list of advertisers “Who use a contact list added to Facebook.”… According to the description, “These advertisers are running ads using a contact list they or their partner uploaded that includes info about you. This info was collected by the advertiser or their partner. Typically this information is your email address or phone number.” The list of Advertisers, a feature Facebook added for transparency, is incomprehensible to anyone who isn’t an expert in advertising (and even some who are!), and leads to the unsettling realization that…, man, our data is out there and trafficked without our consent and being used by advertisers in ways we have no clue about…”

a monthslong initiative to explore the technology, to envision where it’s taking us, and to convene debate about how we should control it to best realize, rather than stunt or distort, human potential.

… In an attempt to build transparency and accountability into the next generation of world-changing technology, American lawmakers introduced a bill on Wednesday to require large companies to audit machine learning systems for bias.

… Amazon.com Inc. employs thousands of people around the world to help improve the Alexa digital assistant powering its line of Echo speakers. The team listens to voice recordings captured in Echo owners’ homes and offices. The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa’s understanding of human speech and help it better respond to commands.

… Occasionally the listeners pick up things Echo owners likely would rather stay private: a woman singing badly off key in the shower, say, or a child screaming for help. The teams use internal chat rooms to share files when they need help parsing a muddled word—or come across an amusing recording.

(Related) Customers are told it may reduce the cost of their insurance. Could it also cause them to be dropped from any insurance plan?

This is the cutting edge of the insurance industry, adjusting premiums and policies based on new forms of surveillance. It will affect your life insurance, your car insurance and your homeowner’s insurance — if it hasn’t already. If the Affordable Care Act’s protections for people with pre-existing conditions should vanish, it will no doubt penetrate the health insurance industry as well.

Video footage shows Julian Assange being dragged from the Ecuadorian embassy in London

Mr Assange took refuge in the embassy seven years ago to avoid extradition to Sweden over a sexual assault case that has since been dropped.

… Ecuador's president said it withdrew his asylum after repeated violations of international conventions.

… But he still faces a lesser charge of skipping bail in 2012 and he says this could lead to an extradition to the US for publishing US secrets on the Wikileaks website.

Scotland Yard said it was invited into the embassy by the ambassador, following the Ecuadorian government's withdrawal of asylum.

After his arrest for failing to surrender to the court, police said he had been further arrested on behalf of US authorities under an extradition warrant.

… Press freedom organisation Reporters Without Borders said that the UK should resist extradition, because it would "set a dangerous precedent for journalists, whistleblowers, and other journalistic sources that the US may wish to pursue in the future".

An Amazon spokesperson later told CNBC that those additional mechanisms included accepting cash. "You’ll check out, pay with cash, and then get your change,” the spokesperson said. [What a bold new concept! Bob]

My guess is that President Trump’s Library will be measured in “Tweets.”

The Atlantic – The question now is how to leverage its nature to make it maximally useful and used…

“The debate about the Obama library exhibits a fundamental confusion. Given its origins and composition, the Obama library is already largely digital. The vast majority of the record his presidency left behind consists not of evocative handwritten notes, printed cable transmissions, and black-and-white photographs, but email, Word documents, and JPEGs. The question now is how to leverage its digital nature to make it maximally useful and used…the record of President Obama’s White House: 1.5 billion “pages” in the initial collection, already more than 33 times the size of President Johnson’s library. I use “pages” because the Obama Foundation has noted that “95 percent of the Obama Presidential Records were created digitally and have no paper equivalents.” The email record alone for these eight years is 300 million messages, which NARA (the U.S. National Archives and Records Administration) estimates amounts to more than a billion printed pages. In addition, millions of other “pages” associated with the Obama administration are word-processing documents, spreadsheets, or PDFs, or were posted on websites, apps, and social media. Much of the photographic and video record is also born-digital. There are also 30 million actual pages on paper, which are currently stored in a suburb near Chicago. Given the likelihood that a decent portion of this paper record actually came from digital files—think about all of the printouts of PDFs, for instance—only a minuscule portion of what we have from Obama’s White House is paper-only…”

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.
I live in Centennial Colorado. (I'm not actually 100 years old., but I hope to be some day.) I'm an independant computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.